ICS Security Certifications

Last week there was an entertaining SCADASEC thread on the new SANS/GIAC Global Industrial Cyber Security Professional (GICSP) certification. To get your GICSP you take the 5-day SANS Course ICS410: ICS/SCADA Security Essentials and then get 69% or better on the 3-hour, 115-question GICSP test.

Most of the SCADASEC posts had a negative or very negative view of the GICSP certification. And then Michael Assante from SANS chimed in to defend the certification:

Wow, I am not sure why an industry collaboration involving some of the most respected control system architects, process control engineers, developers, security professionals would provoke so much speculation and emotion from a few people that were not involved. How does something that was guided and developed by a number of major DCS users, DCS/SIS suppliers, and integrators get so much wrong according to simple web reviews? The goal of the GICSP stakeholders was to identify through a rigorous effort the competencies that were important to support ICS security efforts. The exam was developed with an equal mix of essential elements of engineering, safety, and control system and cybersecurity concepts and approaches appropriate for this important environment. I would encourage anyone to look deeper than the website before forming or entrenching an opinion.

What was serendipitous and amusing was the very same day in a SANS Newsbyte Michael politely found the NIST Cybersecurity Framework lacking:

I applauded the President’s action and prioritization of the series of problems we identify with cyber threats and I appreciate that NIST called out the need to address operational technology (specifically automation and ICS) alongside of traditional information technology. At this stage we should have taken the opportunity to explain the real “what” (nature of cyber threats) and the practical “how” to enhance our collective cybersecurity posture. I believe “how” in this context is composed of two major dimensions – what actually works (for the threats that the Executive Order is addressing – those that are directed and structured) and what can be implemented in a prioritized fashion with reasonable effort (achievable competencies and capabilities). There are good elements and concepts in the framework but we are missing an opportunity to explain, prioritize, and define.

Loyal blog readers know that I’m never reticent with criticism of industry efforts. What’s new in ICS is we have a growing number of standards, certifications and frameworks that could result in a seal of approval on a person, vendor product/system or installation. How should we consider and view these certification efforts?

After giving this some thought over the past week, I believe we should determine:

  1. Does the certification accurately portray the skill set / security posture that is being certified?
  2. Is that skill set / security posture of value to the ICS community?

Using the GICSP as an easy example:

  • Five days of instruction is provided on ICS Security Essentials, and then a test on the material covered in those five days must be passed. So basically it is a certification that an individual has taken and passed a five-day course. No more and no less. SANS/GIAC states, “This certification will be leveraged across industries to ensure a minimum set of knowledge and capabilities that IT, Engineer, and Security professionals should know if they are in a role that could impact the cyber security of an ICS environment.” On one hand, “a minimum set of knowledge and capabilities” is a low bar that may be appropriate for a five-day course. On the other hand, the title of the certification is Global Industrial Cyber Security Professional, which can only be misconstrued to mean more than taking a five-day course on the minimum set of knowledge and capabilities.
    VERDICT: By the name alone, the GICSP certification is misleading. It tests to a minimum set of knowledge and capabilities, or ICS Security Essentials, and then certifies someone who knows these minimums as a professional.
  • Is knowledge of the security essentials taught and tested valuable to the ICS community?
    VERDICT: Yes. It looks like a helpful course for engineers and IT security types. Is it perfect? No, as many of the SCADASEC comments pointed out. It will improve over time, and all in the ICS community are unlikely to ever agree on what the essentials are.

If the certification was ICS Security Essentials Certified it would be a clear winner.

A faster analysis on two ISA certifications.

ISA99/IEC 62443 Cybersecurity Fundamentals Specialist Certificate

You must take a two-day ISA course and then pass a test. Both the title of the certificate, with the word Fundamentals, and the description on the web site are accurate. It is a harder call on whether this certificate is valuable to the community. The training course is of value in helping people apply the ISA standards, but formally recognizing the knowledge learned in a two-day class is borderline.

ISASecure EDSA (Embedded Device Security Assurance)

I’ve covered in numerous articles that labeling a PLC that passes EDSA level 1 testing as anything with the word Secure in it is embarrassing and highly misleading. Even the best part of the certification, the communication robustness testing, does not test the control system protocol stack.

Is it of value to the community? Level 1 was of some value 3 to 5 years ago, but not now. Level 2 and 3 certification would definitely be of value and warrant the designation ISASecure. There is much to like about the structure of the certification effort, so hopefully it will get rid of the misleading ISASecure Level 1.

Final Thought

The best news is there are a number of quality ICS security training options available now. Beyond ISA and SANS, there are training courses from Jonathan Pollet/Red Tiger, Joel Langill/SCADAhacker, Justin Searle, DHS/INL and others. The value of a certification of completion doesn’t negate the value of the training options.